Hi
I need to develop a multi-tenant app with isolation. Each customer system shall send information to the DB using the API.
My first idea was that each customer will be a team.
- According to the documentation I shall use an API key and not a JWT token. But in this method there is a security risk, as the data will be exposed to all customers (teams). Using JWT with the admin user of a team (if possible) has rate limits, which creates another problem.
Is there a solution for this currently, or any plan to solve this issue?
Is there a way to automatically provision a Docker for each customer with preconfigured DB, functions, etc.?
What is the right way to solve it?
Thank you
You can grant access to a document only to a specific user and allow read/edit/delete only to a specific person or just the creator; that way, nobody else will have access. Teams are for managing permissions of a group of persons.
So if you just need to grant access to one person, then don't create a team.
I need to update documents through the REST API. The information is of a team (customer) and not of a specific user.
The issue is that the API key is not limited to a team and provides access to the entire project.
This can be a security leakage if multiple customers are using the same app/system...
What is the solution for that? Thanks
The solution is authenticating the user individually, instead of using the API key.
For each customer I'll have a local service that needs to write to documents of his specific team access only. Authenticating by user:
- The user can be deleted and then this solution won't work. I think that there is a way with the API to allocate users that are the admin; need to verify it.
- The second problem is that the user has a rate limit, which can cause documents not to be updated.
According to the documentation I shall use api key and not jwt token. The documentation means that only for creating the database or collection and not for updating a document. So the general flow is:
- User registers to your app.
- During the registration, you make a call to a backend (which can be an Appwrite function).
- You authenticate the requests. You can use JWT tokens for this and make any additional checks such as making sure they haven't created a database before.
- You create a database for the user with appropriate permissions.
- You do updates as D5 suggested.
Also the user will not be deleted unless you delete it
Or the user deleted itself
As for the rate limit, there isn't one for creating a document/collection. The rate limit for updating is 120 requests/second for each user, which should be more than enough for most use cases.
The service that will use the REST API is a Windows service and not a mobile app/web app. That's the reason I tried to find a different solution than authentication with JWT. I understand that this is the only available solution. Thank you
You could make plain HTTP requests.
I am sorry but it looks like I misunderstood. Why would you need JWT authentication?
Using plain HTTP requests can do the trick; you can store the cookie and use it.
My conclusion is that currently Appwrite is not supporting application of multi-tenancy.
What is missing is that the API key will have permission for specific "team" and to entire project, otherwise it's a security breach.
According to the documentation the Users API requires an API key; only the Account API supports JWT.
I need my app to be able to manage all users of a team (create, list, delete) and execute CRUD operations, but not have access to other teams' resources.
Is this currently supported? Or going to be supported?
This is very critical for my customers from cybersecurity aspects, that the customer data will be isolated from other customers.
I would like to work with Appwrite and I'm not sure that it is currently mature for such an application.
Please advise
Thanks
https://dev.to/appwrite/30daysofappwrite-accounts-users-api-4592
multi tenancy / teams resources isolation
you should be accessing data as a user (session/jwt) and access should be restricted based on teams
Is there any list of which APIs are supported in this way? Or will all of them work according to the team permission? Thank you Stevan
what do you mean?
My application needs to manage team users and CRUD from the client side. Is it possible?
use an Appwrite Function to expose limited operations client side
Thanks, I'll try it out
P.S. - do you have any example for such an implementation?
Thank you very much for your assistance and support
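
The pattern suggested in this thread (a server-side function that holds the project-wide API key and exposes only limited operations, each checked against the caller's team), as an added example that is not part of the original thread and not Appwrite's own code. `handleTenantRequest`, the `POLICY` map and the in-memory `memberships` data are hypothetical stand-ins for the lookups a real function would make with its API key, and `callerId` is assumed to come from an already verified session or JWT.

```javascript
// Constructed sample data standing in for the project's team memberships.
const memberships = [
  { userId: 'u-alice', teamId: 'team-acme', roles: ['owner'] },
  { userId: 'u-bob', teamId: 'team-acme', roles: ['member'] },
  { userId: 'u-carol', teamId: 'team-globex', roles: ['owner'] },
];

// The only operations the function exposes, and the team roles allowed to call each.
const POLICY = new Map([
  ['listUsers', ['owner', 'member']],
  ['removeUser', ['owner']],
]);

// callerId must be taken from the verified session/JWT, never from the request body.
function handleTenantRequest(callerId, { op, teamId, targetUserId }) {
  const allowedRoles = POLICY.get(op);
  if (!allowedRoles) return { status: 400, error: 'unknown operation' };

  // The caller has to be a member of the team named in the request.
  const caller = memberships.find(
    (m) => m.userId === callerId && m.teamId === teamId
  );
  // Same answer for "no such team" and "not a member", so team IDs cannot be probed.
  if (!caller) return { status: 403, error: 'forbidden' };
  if (!caller.roles.some((r) => allowedRoles.includes(r))) {
    return { status: 403, error: 'forbidden' };
  }

  if (op === 'listUsers') {
    const users = memberships
      .filter((m) => m.teamId === teamId)
      .map((m) => m.userId);
    return { status: 200, users };
  }

  // removeUser: the target must also belong to the caller's team, otherwise
  // the privileged key would reach across tenants.
  const idx = memberships.findIndex(
    (m) => m.userId === targetUserId && m.teamId === teamId
  );
  if (idx === -1) return { status: 404, error: 'not in team' };
  memberships.splice(idx, 1);
  return { status: 200, removed: targetUserId };
}
```

The API key never leaves the function; the Windows service or client only sends its own user credentials plus the requested operation.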